Re: mark and accept in a single rule

On Sun, 2011-02-20 at 16:10 +0000, E2IA wrote:
> 
> 2011/2/20 Andrew Beverley <andy@xxxxxxxxxxx>:
> > On Sun, 2011-02-20 at 15:13 +0000, E2IA wrote:
> >> Hi all, I'd like to know if it is possible to mark a packet and accept it in
> >> a single iptables rule.
> >
> > There shouldn't be any need to do this.
> >
> >> i've these 2 rules:
> >>
> >> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m layer7
> >> --l7proto  yahoo  -j MARK --set-mark 74
> >> /usr/local/sbin/iptables  -t mangle  -A FORWARD      -m mark --mark
> >> 74  -j ACCEPT
> >>
> >> but it seems that the second rule is never matched.
> >
> > The second rule *should* be matched. What makes you think that it is
> > not? Remember: a packet ACCEPTed in one chain can be DROPed later.
> >
> > It might be worth you posting your complete set of rules.
> >

[ Top posting fixed ]

> Hi here is my complete rule set:
> #!/bin/bash
> # script: shaping marker config
> /usr/local/sbin/iptables  -t mangle -F FORWARD
> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m layer7
> --l7proto  yahoo  -j MARK --set-mark 74
> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m mark --mark  74
> -j  ACCEPT

<snip>

> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m layer7
> --l7proto  http  -j MARK --set-mark 9
> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m mark --mark  9 -j  ACCEPT

<snip>

> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m layer7
> --l7proto  finger  -j MARK --set-mark 6
> /usr/local/sbin/iptables  -t mangle  -A FORWARD     -m mark --mark  6 -j  ACCEPT
> /usr/local/sbin/iptables  -t mangle  -A FORWARD  -j  ACCEPT
> # End
> 
> When doing Yahoo Messenger it is http, skype and finger which are
> matched even though yahoo is the first rule.
> But when I keep the yahoo rule alone, yahoo is matched when doing Yahoo Messenger.
> 

It's been a while since I played with l7-filter, but I suppose it could
be something to do with the way that it is classifying packets (it
sometimes has to see a significant amount of data before it matches some
protocols).

You might want to try the following for your rules instead, but if your
problem is something to do with l7-filter then it may not help:

iptables -t mangle -A FORWARD -m mark --mark 0 \
	-m layer7 --l7proto yahoo -j MARK --set-mark 74
iptables -t mangle -A FORWARD -m mark --mark 0 \
	-m layer7 --l7proto http -j MARK --set-mark 9

This will only match and mark packets if they haven't already been
marked. The disadvantage of this is that all packets will traverse all
rules making it less efficient.

If you still can't get it to work, you should maybe try asking over at
the l7-filter project.

Andy


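The chain-traversal behaviour behind Andy's suggestion, as a small Python model added here (not code from the post or the netfilter project). It assumes per-packet marks without CONNMARK, treats MARK as non-terminating and ACCEPT as terminating, and stands in for l7-filter with a constructed classifier that only recognises a flow after a fixed number of packets.

```python
# Added example (not from the post): a small model of mangle FORWARD traversal.
# Assumptions: marks are per packet (no CONNMARK), MARK is non-terminating,
# ACCEPT ends traversal, and the l7 stand-in only recognises a flow after
# CLASSIFY_AFTER packets (a constructed substitute for l7-filter's real logic).

CLASSIFY_AFTER = 3  # constructed: packets l7 must see before the flow is recognised

def l7_match(conn, proto):
    """Simulated '-m layer7 --l7proto PROTO': matches only once the flow is classified."""
    return conn["seen"] >= CLASSIFY_AFTER and proto in conn["protos"]

def run_chain(rules, conn):
    """Walk one packet through the chain; return (mark, verdict, rules_evaluated)."""
    conn["seen"] += 1
    mark = 0
    for n, rule in enumerate(rules, 1):
        if "mark" in rule and rule["mark"] != mark:      # '-m mark --mark N'
            continue
        if "l7" in rule and not l7_match(conn, rule["l7"]):
            continue
        if rule["target"] == "MARK":
            mark = rule["set"]          # non-terminating: keep walking the chain
        elif rule["target"] == "ACCEPT":
            return mark, "ACCEPT", n    # terminating: leave the chain here
    return mark, "policy", len(rules)   # fell off the end: chain policy applies

# Original ruleset from the post: MARK, then ACCEPT on that mark, per protocol.
ORIGINAL = [
    {"l7": "yahoo", "target": "MARK", "set": 74},
    {"mark": 74, "target": "ACCEPT"},
    {"l7": "http", "target": "MARK", "set": 9},
    {"mark": 9, "target": "ACCEPT"},
    {"target": "ACCEPT"},
]
# Andy's variant: each MARK guarded by '-m mark --mark 0', no per-protocol ACCEPT.
GUARDED = [
    {"mark": 0, "l7": "yahoo", "target": "MARK", "set": 74},
    {"mark": 0, "l7": "http", "target": "MARK", "set": 9},
]
# The same two rules without the guard, to show what '--mark 0' prevents.
UNGUARDED = [{k: v for k, v in r.items() if k != "mark"} for r in GUARDED]

def trace(rules, protos, packets):
    """Final marks of successive packets of one flow that l7 would classify as `protos`."""
    conn = {"protos": set(protos), "seen": 0}
    return [run_chain(rules, conn)[0] for _ in range(packets)]
```

Early packets of a flow carry mark 0 in every variant because the classifier has not recognised them yet, which is the l7-filter effect Andy describes; the guard only matters when a packet matches more than one protocol rule.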